Problem/Motivation

This is a follow-up to #2868079: Add a default Content-Security-Policy-header for svg files.

Modules can override the header for private files with their own event subscriber (and currently the CSP module does apply its configured site-wide policy), but we don't have a mechanism for modules to alter the contents inserted into the htaccess file.
We should at least have a guide for devs on how to override the value included in the htaccess file, better if the policy could be changed for both methods through one service parameter (possibly enabling a Report-Only policy as well if configured), and ideally modules have a straightforward means of altering / overriding core consistently.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

prudloff created an issue.